privacy notice


Updated: 18/08/2020

introduction

This Privacy Notice sets out your rights and answers any queries you may have about how Crux Product Design Ltd ("Crux") collects, uses and protects your personal data. If you have any questions or concerns about our policy, or our practices with regards to your personal information, please contact us at privacyteam@cruxproductdesign.com.

Please ensure that you read this notice and any other notices you may be provided with when we collect or process personal information about you. Doing so will help you make informed decisions about sharing your personal information with us.

Crux may update this policy by updating this notice. We recommend checking this privacy notice periodically to ensure that you are happy with any changes.

who are we?

We are Crux Product Design, a limited company registered under number 04893244. We are also registered as a controller in relation to personal data with the Information Commissioner's Office (ICO) under number ZA558972.

Our business involves working with clients to design products which have to work in the real world. This includes conducting studies to see how users interact with products. While we need to collect and use your information to do so, we do not sell or make any money from it.

how can you contact us about your data?

Crux Product Design Ltd
Flatiron Building
332-336 Paintworks
Bristol
BS4 3AR
United Kingdom

Tel: 0117 300 9788

Email: privacyteam@cruxproductdesign.com

how do we use your information?

This notice explains what personal data (information) we will collect from or about you during your interactions with us. The following sections describe the information we collect from you when you are:

1. Visiting our website or engaging on social platforms

When you visit our website www.cruxproductdesign.com, and use our services, you trust us with your personal information.

This privacy policy applies to all information collected through our website (such as http://www.cruxproductdesign.com), and/or any related services, sales, marketing or events (we refer to them collectively in this privacy policy as the "Services").

1.1 What information will we hold about you?

We collect and process personal data from the following sources:

1.1.1 Personal information you disclose to us

We collect personal information that you voluntarily provide to us when expressing an interest in obtaining information about us or our products and services, when participating in activities on the Services or otherwise contacting us.

The personal information that we collect depends on the context of your interactions with us and the Services. The personal information we collect can include the following:
  • Your name;
  • phone numbers;
  • business email;
  • business phone number;
  • business address;
  • social media; and
  • other similar data.
Data is stored on our secure CRM platform.


1.1.2 Information automatically collected

Some information — such as IP address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

We also collect information through cookies and similar technologies.
  • IP addresses;
  • cookie identifiers, or others such as the ones used for analytics and marketing;
  • devices;
  • device's geolocation; and
  • other similar data.

1.2 Where do we get your information from?

We obtain this information directly from you or other members of your organisation. We may also obtain this information from your public profiles available online, primarily LinkedIn. Where this is the case, we will be transparent about our collection of your personal data and we only contact people who we believe will have an interest in our services.

1.3 How do we use this information and what is the legal basis for this use?

We process your information collected in section 1.1 for purposes based on legitimate business interests, the fulfilment of our contract with you, compliance with our legal obligations, and/or your consent.

We use the information we collect or receive:

  • To send you focused marketing communications regarding select material we believe will be of interest or bespoke communications on relevant thought leadership or as Whitepapers based on the market sector you work in. You can opt-out of our marketing emails at any time (see section 9 below).
  • To send administrative information to you. We will use your personal information to send you product, service and new feature information and/or information about changes to our terms, conditions, and policies.
  • To protect our Services. We will use your information as part of our efforts to keep our Services safe and secure (for example, for fraud monitoring and prevention).
  • Analysis and improvement. We will use your information for data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our Services, products, marketing and your experience. We will use and store this information in aggregated and anonymized form so that it is not associated with individual end users. We will not use identifiable personal information without a specific lawful basis in place.

1.4 Who will we share your information with?

We use other companies to provide us with telephony, email and other IT services. We have put in place agreements with these companies to ensure that they will only process your information as requested by us and in accordance with data protection law.

We only share and disclose your information with the following third parties. We have categorized each party so that you may easily understand the purpose of our data collection and processing practices. If we have processed your data based on your consent and you wish to revoke your consent, please contact us.

  • CRM - Pipeliner
  • Content Optimisation - MailChimp plugin
  • Retargeting - LinkedIn website retargeting
  • Email and communication - Office 365

1.5 Do we use cookies or other tracking technologies?

We use cookies and other tracking technologies to collect and store your information.

We may also use cookies and similar tracking technologies (like web beacons and pixels) to access or store information. Where this involves cookies that are not strictly functional for the operation of our website, we will ask you for your consent prior to those cookies being placed on your device.

We use Google Analytics to collect information about how people use our website. Google Analytics stores information about behaviour on our website, such as referrals, pages you visit and what you click on. We do not allow Google to share our analytics data. We do this to understand how we can improve our website and make sure we are meeting the needs of our users.

1.6 How long will you keep my personal data?

Crux will retain your personal information for as long as it believes is necessary to fulfil the purposes for which the information was collected (including for the purpose of meeting any legal or other reporting requirements or obligations).

We will not retain your personal information for longer than 2 years after our relationship with you has ended. If you do use our services, we will need to retain certain information for a longer period to meet our legal obligations (for example, financial records).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

2. Visiting our Office

We use CCTV at our offices for security and the personal safety of our staff and visitors. Signage is in place to inform all visitors that we have CCTV. Any captured data is only accessible to limited members of staff within Crux and is stored for 30 days before being automatically deleted.

3. Applying for a job

When you apply for a job with us, Crux will collect and process personal data about you.

3.1 What information will we hold about you?

The personal data we process includes:

  • Your name, home address, email address and/or phone numbers;
  • your date of birth, marital status, nationality and National Insurance number (where you provide this to us);
  • your educational and employment history;
  • other information contained within your CV or other documents or information you submit to us;
  • information from the selection process, if any;
  • references and assessments relating to your work for previous employers;
  • information to confirm your identity and right to work, such as a copy of your passport;
  • any access requirements you may have in attending an interview;
  • details of any unspent criminal convictions; and
  • information relating to your feedback on our organisation.
Crux does not collect information relating to your ethnicity, gender, disability, religion, sexual orientation and other diversity-related information as part of our recruitment process.

3.2 Where do we get your information from?

We obtain this information directly from you, as well as from third parties such as recruitment agencies, background checking companies or former employers where seeking a reference. We may also check any publicly available social media profiles (primarily LinkedIn) where this is relevant as part of our recruitment process e.g. for checking employment history.

3.3 How do we use this information and what is the legal basis for this use?

We process the personal data listed in section 3.1 above for the following purposes only in accordance with our legitimate business interests and legal obligations as an employer:

  • To make recruitment decisions;
  • to meet our accessibility requirements; and
  • to prevent and detect fraud and other wrongdoing.

3.4 Who will we share your information with?

Your personal data will only be shared with Crux employees involved in the recruitment process.

This includes HR (including HR consultants), interviewers involved in the recruitment process, managers in the business area, including Operations and IT staff (including contractors) if access to the data is necessary for the performance of their roles.

We use other companies to provide us with telephony, email and other IT services. We have put in place agreements with these companies to ensure that they will only process your information as requested by us and in accordance with data protection law.

Crux will not share your data with third parties unless your application is successful and Crux makes you an offer of employment. Crux may then share data with former employers to obtain references.

3.5 How long will you keep my personal data?

We will not keep your personal information for longer than is necessary. We will keep the personal data connected to your job application (including any interview records) for 6 months from the end of the recruitment process.

In some instances, we may ask for your consent to retain your data for a longer period if a suitable position is not immediately available. If your application is successful and you become a member of staff, we will provide you with a copy of the Employee Privacy Notice. The retention periods referred to therein will apply to your personal data during your employment.

4. Using our services

When using Crux for your project, we need to collect and process personal data about you to fulfil our contractual obligations to you as a Client.

4.1 What information will we hold about you?

The personal data we process includes:

  • Your name;
  • your job title;
  • your company and department;
  • your business address;
  • your business email address; and
  • the phone numbers provided to us.

4.2 Where do we get your information from?

We obtain this information directly from you or other members of your organisation. We may also obtain this information from your public profiles available online, primarily LinkedIn. Where this is the case, we will be transparent about our collection of your personal data.

4.3 How do we use this information and what is the legal basis for this use?

We process the personal data listed in section 4.1 above to fulfil our contractual obligations to you as a Client in accordance with our legitimate business interests. This data is used by Crux to:

  • Provide you with quotations;
  • send and agree contractual information;
  • enable project communication;
  • send project deliverables; and
  • provide service updates.

4.4 Who will we share your information with?

Your personal data will only be available within Crux to Crux Directors, senior team members and relevant Crux project team members.

We use other companies to provide us with telephony, email and other IT services. We have put in place agreements with these companies to ensure that they will only process your information as requested by us and in accordance with data protection law.

4.5 How long will you keep my personal data?

Crux will retain your personal information for as long as is necessary to provide our services to you and for our own purpose in meeting legal and business obligations after completion of a project (including for the purpose of meeting any legal, accounting or other reporting requirements or obligations).

This means Crux may retain your personal information after the project ends for a minimum of the 7 following tax years.

5. Supplying to us

We collect and process personal data about you when you are a Crux supplier.

5.1 What information will we hold about you?

The personal data we process includes:

  • Contact names and job titles;
  • your business address;
  • your business email addresses and phone numbers;
  • your organisation's bank details; and
  • data to allow us to qualify you as an approved supplier.

5.2 Where do we get your information from?

We obtain this information directly from you or other members of your organisation. We may also obtain this information from your public profiles available online, for example on your company's website.

5.3 How do we use this information and what is the legal basis for this use?

We process the personal data listed in section 5.1 above to fulfil our contractual obligations to you as a Supplier in accordance with our legitimate business interests.

This data is used by Crux to:

  • Discuss requirements;
  • send and agree contractual information;
  • enable project communication;
  • send you requests for quotation; and
  • receive project deliverables.

5.4 Who will we share your information with?

Your personal data will only be available to the relevant teams within Crux.

We use other companies to provide us with telephony, email and other IT services. We have put in place agreements with these companies to ensure that they will only process your information as requested by us and in accordance with data protection law.

5.5 How long will you keep my personal data?

Crux will retain your personal information for as long as our business relationship is active and for our own purpose in meeting legal and business obligations after completion of a project (including for the purpose of meeting any legal, accounting or other reporting requirements or obligations).

This means Crux may retain your personal information after the project ends for a minimum of the 7 following tax years.

6. Research recruitment

As part of our service offering Crux undertakes User Research. In order to recruit people to take part in studies we collect information to allow us to assess suitability of participants to take part.

If you are selected to take part in a user study, you will be provided with a specific Privacy Notice relating to that study prior to taking part.

If you would like another copy of any Privacy Notices or any other documentation provided, please request this via the contact details above.

6.1 What information will we hold about you?

The personal data we process includes:

  • Your name, age, identity and contact details;
  • your answers to any questions that you have been asked to assess whether you meet the eligibility criteria to take part in a study;
  • depending on the nature of the product, you may be asked to provide sensitive information about health and medical conditions; and
  • if you have responded to one of our own campaigns through our website or any other online form, our servers will collect the IP address assigned to you or the person that provides you with Internet access.

6.2 Where do we get your information from?

We obtain this information directly from you or from one of our recruitment partners in response to a recruitment campaign. Those recruitment campaigns may take place through social media platforms, such as Facebook. We do not use Facebook to collect personal data about potential participants in our research – an email link is provided within our adverts to register your interest.

6.3 How do we use this information and what is the legal basis for this use?

We will only use your information:

  • To assess whether you are eligible to take part in a study;
  • to contact you in relation to other studies that may be applicable;
  • to make arrangements with you to take part in a study; and
  • if necessary, to defend any legal claims brought against us or our client in relation to the recruitment of participants to take part in a study.
There are six lawful grounds for using your information and we need to satisfy one for each separate purpose we intend to use your information for.

For all of the purposes described above, we will rely on our legitimate interests. We have undertaken an assessment of our legitimate interests and how we balance those with your rights and freedoms.

Where we collect any sensitive information about you, such as information about health or medical conditions, we also have to satisfy one additional condition. The conditions that we will rely on will be:
  • If the product is a regulated medical device or the purpose of the study is to support a client's application for regulatory approval for a medical device, ensuring high standards of quality and safety in relation to the use of such product;
  • If the product is not a medical device, for scientific research purposes.

6.4 Who will we share your information with?

We will keep your information separate from information we hold about our general business activities and access to your information will be limited to those who need access to it for the purposes described above.

We use other companies to provide us with telephony, email and other IT services. We have put in place agreements with these companies to ensure that they will only process your information as requested by us and in accordance with data protection law.

In very rare circumstances, we may have to share your information with a court or other regulatory authority in response to an order or other legal request. Where we are allowed to do so, we will notify you of this.

6.5 How long will you keep my personal data?

If you do not meet the eligibility criteria for a study, then we will delete your information unless you agree that we may keep your details on record for any future studies which you may be eligible for. If such opportunities do not arise within 2 years, we will delete your information. For some potential participants with specific medical or health conditions, we may retain your personal data for a longer period as studies in certain areas occur less frequently and it is important that we have enough participants for a study to be viable. Where this is the case, we will seek your consent prior to retaining your personal data for a longer period, in line with the above purpose.

If you meet the eligibility criteria for a study, we will retain your information for the same period that we retain the information held about you as a result of taking part in the research, which will be seven years from the date that we deliver our report to our client.

And details the following policy information:

7. How we keep your information secure?

Crux have put in place a number of measures to protect your information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include:

8. Where is my data stored?

The personal data that we collect from you is stored within the European Economic Area ("EEA"). In some cases, we may transfer your personal data to countries outside the European Economic Area. Where we do so we will ensure that you are made aware, that such transfers are compliant with the General Data Protection Regulation and that appropriate measures are put in place to keep your Personal Data secure. The only exception to this is as follows:

Customer data is processed and secured in the EU before being transmitted and stored in the US in order to provide additional redundancy for critical components of our system. Hubspot act as our data processor for this purpose and are compliant with the EU-US Privacy Shield. We also have a written agreement in place with Hubspot in relation to the service they provide us with and how they must handle the data.

9. What are your rights in relation to your personal data?

You have several rights in relation to the information we hold about you, including the right to request a copy of your personal data (commonly known as a 'subject access request') and the right to have any inaccurate or incomplete personal data about you corrected. In certain circumstances, you have the right to request deletion of the personal data we hold about you, ask us to restrict how we use it or object to our holding it.

Please note that there are some limited circumstances and exemptions where these rights may not apply.

You also have the right to make a complaint to the ICO about how we have used your personal data: https://ico.org.uk/make-a-complaint/. For further information about your rights, visit the ICO's website, https://ico.org.uk/your-data-matters/.

If you want to exercise any of your rights or you have any questions regarding this notice, you can contact us on the details in the sections below.

10. How you can find more information about how Crux handles your data?

Should you have any queries regarding this Privacy Notice, Crux's processing of your personal data or wish to exercise your rights you can contact Crux's Privacy Team using this email address: privacyteam@cruxproductdesign.com

If you are not happy with our response, you can contact the Information Commissioner's Office: https://ico.org.uk/make-a-complaint/